JAVASERVERFACES-2747

XSS hole: GenericObjectSelectItem incorrectly defaults to itemLabelEscaped="false"

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Won't Fix
  • Affects Version/s: 2.1.19
  • Fix Version/s: None
  • Component/s: None
  • Labels: None

      Description

GenericObjectSelectItem defaults to itemLabelEscaped="false", which opens a possible unforeseen XSS hole. Escaping should always default to "true", and disabling it should only be done explicitly. All other JSF components do that correctly.

Inside the updateItem() method of GenericObjectSelectItem, the "false" in the following block

// 2.1.19: when itemLabelEscaped is not set, itemEscapedResult is null and the
// label is rendered unescaped
setEscape(((itemEscapedResult != null)
    ? Boolean.valueOf(itemEscapedResult.toString())
    : false));

should have been "true":

// requested: an unset attribute falls back to escaping, matching the other components
setEscape(((itemEscapedResult != null)
    ? Boolean.valueOf(itemEscapedResult.toString())
    : true));

          Activity

          Manfred Riem added a comment -

This required a change of the spec and as such was fixed in 2.2 and won't be backported to 2.1.

          rogerk added a comment -

          I'll have to see what the spec says about this too.


People

  • Assignee: Manfred Riem
  • Reporter: balusc
  • Votes: 3
  • Watchers: 3
